singularity icon indicating copy to clipboard operation
singularity copied to clipboard

Published 20 hours ago verified publisher icon sylabs

Disable --uts option in singularity.conf

Open sinirajapan opened this issue 1 year ago • 4 comments

【Request】  In singularity.conf, add ’allow userns' and 'allow uts ns' like 'allow pid ns'.

【Background】 EDA (Electronic design automation) tool uses FlexLM (https://www.flexera.com/) for license management. It is possible to restrict the access source of the license, and provides restrictions using "username" and "hostname"

【Theme】 When running the EDA tool in an environment that uses singularity, singularity exec --hostname ok_machine eda.sif eda_exec By doing so, the above restrictions can be passed by disguising the hostname. This is an issue that should be solved by FlexLM and/or EDA tools, but the situation is that singularity cannot be introduced because the developer does not support it. Similarly, by binding /etc/passwd, the user name is changed and the above restrictions can be passed.

sinirajapan avatar Jun 14 '23 07:06 sinirajapan

Not only --uts option but also disabling --hostname.

sinirajapan avatar Jun 14 '23 07:06 sinirajapan

This is not really going to be an effective way of avoiding the issue. You would have to disable unprivileged user namespaces on the system entirely, and disallow --hostname through Singularity.

On most systems these days, unshare is available. A user can unshare -u -r to get a user namespace with UTS namespace outside of Singularity. They can then set the hostname directly with the hostname command.

$ whoami
dtrudg-sylabs
$ hostname
mini
$ unshare -u -r

$ whoami
root
$ hostname bob
$ hostname
bob

Disabling the user & UTS namespaces in singularity.conf is therefore not effective. It would have to be done for the whole system by disabling unprivileged user namespaces with a sysctl. Otherwise there are easy ways to work around the configuration.

In general we prefer to avoid adding configuration options that infer some kind of security-related restriction that can easily be bypassed. As we are moving toward unprivileged execution in our upcoming OCI mode, which will require unprivileged user namespaces, I'm not sure these configuration options make sense.

Are the vendors of the software aware of the ability to bypass purely with unshare and not containers?

dtrudg avatar Jun 14 '23 08:06 dtrudg

We've already disabled user namespaces with sysctl to disable 'unshare -r'.

Other namespaces are also used by systemd on RHEL9(network, uts, etc.), so we want to keep them available.

But I don't want to be able to use it in singularity.

Are the vendors of the software aware of the ability to bypass purely with unshare and not containers?

I don't have any connection with Flexlm vendor...

sinirajapan avatar Jun 14 '23 09:06 sinirajapan

Okay. I think we'd consider a PR contributing this, but it's not a high priority to develop unless it affects a broad range of users.

dtrudg avatar Jun 14 '23 09:06 dtrudg